Skip to content

docs: remove npm token release guidance #47

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
faraa2m merged 1 commit into from
May 20, 2026
Merged

docs: remove npm token release guidance #47

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 3 additions & 2 deletions CONTRIBUTING.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -97,7 +97,7 @@ The release pipeline is **fully unified** — one merge of the Version Packages

1. If `.changeset/` has any pending changesets, the workflow opens (or updates) a **Version Packages** PR that auto-bumps `package.json` versions and auto-generates `CHANGELOG.md` entries.
2. Merging that PR triggers the same workflow to:
- Publish `tokenometer` + `@tokenometer/core` to npm with provenance.
- Publish `tokenometer`, `@tokenometer/core`, and `@tokenometer/mcp` to npm with provenance through npm Trusted Publishing / GitHub OIDC.
- Create a GitHub Release on the new tag (GitHub Marketplace listens to that and republishes the Action's listing).
- Build a fresh `.vsix` and publish the VS Code extension to the **VS Code Marketplace** (`vsce`) and **Open VSX** (`ovsx`, the registry Cursor + VSCodium read from).
- HTTP-verify the GitHub Marketplace listing (best-effort — propagation can take a few minutes).
Expand All @@ -108,11 +108,12 @@ Before merging the Version Packages PR, you can sanity-check the build locally w

Required secrets in repo settings → Secrets and variables → Actions:

- `NPM_TOKEN` — npm automation token.
- `VSCE_PAT` — Personal Access Token from https://dev.azure.com (Marketplace publisher → Manage Tokens, scope: Marketplace → Acquire + Manage). If absent, the VS Code Marketplace step is skipped with a clear notice.
- `OVSX_PAT` — Personal Access Token from https://open-vsx.org (User Settings → Access Tokens). If absent, the Open VSX step is skipped.
- `VERCEL_DEPLOY_HOOK` — Deploy hook URL from Vercel project settings (optional; the playground also rebuilds automatically on every push to main).

npm package publishing does not use a repository secret. Configure npm Trusted Publisher bindings for `tokenometer`, `@tokenometer/core`, and `@tokenometer/mcp` to point at `faraa2m/tokenometer` and `.github/workflows/release.yml`.

## Questions

Use [Discussions](https://github.com/faraa2m/tokenometer/discussions). Issues are for bugs and concrete proposals.
57 changes: 0 additions & 57 deletions scripts/diagnose-npm-token.sh
View file
Open in desktop

This file was deleted.

59 changes: 0 additions & 59 deletions scripts/publish-with-token.sh
View file
Open in desktop

This file was deleted.

Loading